
Attackers could start to aggressively distribute this malware in the near future, Kaspersky Lab researchers warn

Trojan program ‘Neverquest’ a new threat to online banking users, researchers say



By

CSO Senior Writer,

IDG News Service |


PT

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.


“By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world,” said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. “This threat is relatively new, and cybercriminals still aren’t using it to its full capacity. In light of Neverquest’s self-replication capabilities, the number of users attacked could increase considerably over a short period of time.”

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, steal the usernames and passwords that victims enter on those websites, and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.

This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.

Once attackers have the information they need to access a user’s account on a website, they use a proxy server to connect to the user’s computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites, because unauthorized actions like transferring money are carried out through the victim’s own browser and so appear to the website to come from the victim’s computer.

“Of all of the sites targeted by this particular program, fidelity.com — owned by Fidelity Investments — appears to be the top target,” Golovanov said. “This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.”

The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread pieces of malware on the Internet in 2010.

Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.

The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. “These emails are typically designed to look like official notifications from a variety of services,” Golovanov said.

In addition, Neverquest steals account log-in information for a large number of social networking websites and chat services accessed from infected computers. Those accounts could be used to post links to infected websites in order to spread Neverquest further, although Kaspersky Lab hasn’t seen this method being used yet.

“As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent,” Golovanov said. “We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2019 IDG Communications, Inc.
